漏洞平台

POC详情： 3cea8f57b0317ceb851b8688ad847ecbdd274863

来源

https://github.com/faisalfs10x/http-vuln-cve2019-14322.nse

关联漏洞

标题： Pallets Werkzeug 路径遍历漏洞 (CVE-2019-14322)
描述：Pallets Werkzeug是一款WSGI Web应用程序库。 Pallets Werkzeug 0.15.5之前版本中存在安全漏洞，该漏洞源于SharedDataMiddleware错误处理了Windows路径名称中的驱动程序名（例如：C:）。攻击者可利用该漏洞访问任意文件。

描述

Nmap NSE script to detect CVE-2019-14322 of Pallets Werkzeug path traversal via SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames

介绍

# http-vuln-cve2019-14322.nse

- Nmap NSE script to detect CVE-2019-14322 of Pallets Werkzeug path traversal via SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames

# Description

- CVE-2019-14322 - A vulnerability was found in Pallets Werkzeug up to 0.15.4. It has been declared as critical. This vulnerability affects the function SharedDataMiddleware of the component Windows. 
- The manipulation with an unknown input leads to a directory traversal vulnerability. The CWE definition for the vulnerability is CWE-22. 
- This script reads c:/windows/win.ini as a proof of concept.
- This vulnerability is running on (cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:x64:*)


# Clone and Install

- git clone https://github.com/faisalfs10x/http-vuln-cve2019-14322.nse
- cd http-vuln-cve2019-14322.nse/
- sudo cp http-vuln-cve2019-14322.nse /usr/share/nmap/scripts/

# Usage
-----


    $ nmap --script http-vuln-cve2019-14322.nse -p <port> <target>

    PORT    STATE SERVICE
    443/tcp open  https
    | http-vuln-cve2019-14322: 
    |   VULNERABLE:
    |   Pallets Werkzeug path traversal via SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames
    |     State: VULNERABLE
    |     IDs:  CVE:CVE-2019-14322
    |       		
    |       A vulnerability was found in Pallets Werkzeug up to 0.15.4. It has been declared as critical. 
    |       This vulnerability affects the function SharedDataMiddleware of the component Windows. 
    |       The manipulation with an unknown input leads to a directory traversal vulnerability. The CWE definition for the vulnerability is CWE-22.
    |       This script reads c:/windows/win.ini as a proof of concept.
    |       This vulnerability is running on (cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:x64:*)
    |       		
    |           
    |     Disclosure date: 2019-07-28
    |     References:
    |       https://www.cvedetails.com/cve/CVE-2019-14322/
    |       https://vuldb.com/?id.138886
    |       https://palletsprojects.com/blog/werkzeug-0-15-5-released/
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14322
    
    Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds
    
    
 # Published in:

- https://github.com/nomi-sec/PoC-in-GitHub#cve-2019-14322-2019-07-28

文件快照


 [4.0K]  /data/pocs/3cea8f57b0317ceb851b8688ad847ecbdd274863
├── [3.6K]  http-vuln-cve2019-14322.nse
├── [1.0K]  LICENSE
└── [2.3K]  README.md

0 directories, 3 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。